I have a program that users want to download. Instead of offering a link to download and they download the program and enter the information, I would rather have my PHP script do it.
My website requires a username and password to login, there is a private page where a user can download a file. When a user goes to the "download" page, there is specific options on the page the user must choose. Once the choices are selected and the user clicks "Download", I want PHP to go to my programs source, add the missing data inside the source, compile it into a .exe, and bring it back to the user.
Thing is, I have no idea how to do this and im scared that PHP will put the information for one user and accidently give one users information to everyone else.
How can I make it that each binary is different?
I'm currently making my program in Windows (using Code::Blocks) but im going to be hosting the files on a Linux or FreeBSD server. Just wanted to let that out incase there is something I need to know.
Since you're in effect allowing the user to enter arbitrary code onto your server, this seems like a serious security risk. Why is customization of the executable needed? Could it be a configuration file?
If you want to go ahead with this, it can be done pretty easily. Perhaps use a templating engine like Mustache (not the C++ language feature templates). Write your source files to include this mustache templates.
When the user has posted the info, you just need to run the command to apply the template to get the finished source, then run your makefile to generate the finished executable. Then you can give it like anything else.
If you want to make sure the users can't get the same binary, an easy way would be to delete the finished executable after each run. There's better ways of doing this, but this is easy.
Related
Just as the question says... I've read up a few articles, others says just don't do it, but yet fail to mention a safe way. I know it hazardous to give it sudo access or root, but I was thinking about running a script that has root access through root.
One post was talking about a binary wrapper, but I did not fully understand it when I attempted it and when I tried to do a search to understand I didn't find anything that explain it well.
So, what would be a good-safe way? I don't even need to have a detailed explanation. You can just point me to a good source to start reading.
Thanks.
Specs:
Ubuntu Server 14.04
EDIT:
Commands I am talking about is mkdir, rmdir with an absolute path. Create user, remove user (which is why I need root) and edit some Apache files for me.
They fail to provide a safe way because, IMHO, there isn't one. Or, to put it another way, are you confident that your code that protects the create user and add user functions is cleverer than the hackers code that tries to gain access to your system via the back door you've built?
I can't think of a good reason for a web site to create a new system-level user. Usually web applications run using system users that are created for them by an administrator. The users inside your web site only have meaning for that web site so creating a new web site user gains that user no system privileges at all. That said, it's your call as to whether you need to do it or not.
In those cases where system operations are necessary a common approach is to build a background process that carries out those actions independently of the web site. The web site and that background process communicate via anything that works and is secure - sockets, a shared database, a text file, TCP-IP, etc. That separation allows you to control what actions can be requested and build in the necessary checks and balances. Of course it's not a small job, but you're not the first person to want to do this so I'd look for an existing tool that supports this administration.
I want to prevent coping my custom made CMS from domain to domain and I want that it is operable only on a doain that it is bought for and onluy for the period 1, 2 years from the purchase.
The code generation part is not a problem, but how to prevent it from modifying from hackers is the hardest part.
E.g. something like vBulletin protection. (I know it can be nulled too)
How to implement such thing into my CMS written in php?
I think it needs to be spread through the whole app on various places the variable check and masked in some ways, so the dependencies is not easy to detect and remove.
I know that it is very difficult and hard topic, so I appreciate some direction like book, web discussion or article.
Btw. connecting to my server and checking if the domain is ok is not an option, my servers could be down and the clients as a result of not possible connection too.
You could do a combination of things..
New client domains can be given generated license keys that are unique to each of your client's install that is need for your software to work. The key should be bound one per hosted domain and should be stored remotely on your servers as well as locally on the client install.
When you or someone else is installing the cms for the first time make it required to enter the license key and verify it with a remote server. This should suffice for the initial setup time. Store some info about the server in your remote database. If this remote procedure fails installation should render unsuccessful. Think of clever ways to make this necessary and required like fetching an encryption key to be stored in the database.
During or after install you can generate encryption keys (or not) and store something unique in a file on the app server that is required by your code. Super cheap would be to create the file /MY-CUSTOM-CMS-LICENSE.txt with the key in plain text right inside it. This can be another vector for verification later on. Should you discover a website which has copied your cms you can check this txt file.
Have your software call home to your server every now and then sending the key plus some server info (ip, host, etc). It does not have to be dependent on your server to run. Meaning you can let the software run if it fails. It is just very helpful to call home every now and then. For example every X days to ping a url on your server and if your server is down just have it do the call home check the next day. One reason why this is so handy is if your client copies the app folder from one domain to another domain to setup a second illegal site, as soon as they run index.php file it will call home. And if they have not checked every line of your code and don't know it even does this they would be caught rather easily. All you need to do is check some kind of log of who 'called home' so to speak.
Write up proper software license agreement with the terms for your product and place it in a file called LICENSE located in the root directory of your app. This will ensure clients (and their developers) are aware it is not free to copy and reuse. Later if someone copies it, you (or your lawyers) can point to the file and say 'didn't you read this jerky-boy'
Make something (or many things) in your code unique to your code. For example wordpress' admin by default is /wp-admin and almost every single file in their app starts with wp- which makes it easy to detect. Add the entire app in a special folder. Add a meta tags to all output like <meta name="generator" content="vBulletin 4.0.4" />. There are many other things you can incorporate and write into your app that could be tell tail signs it is your code. The point is to have so many things that make the job of removing everything a daunting task or just annoying to the thief. I don't think anyone would be crazy enough to refactor all your code just to steal it. If they do remove these code bits and resell/reuse it you have an even stronger case for litigation.
You could write a script to crawl the web (ugh) or just do searches on google or even setup Google alerts to notify you if any of detectable methods you placed in your app are found (like in #3, #4, #5, #6, #8)
You could buy a CDN like www.maxcdn.com and host a JavaScript file on there and put that into your code. <script src="http://cms-headquarters.example.com/license.js"> since it is on a CDN is has very small chance of failing and if it goes down for a week that's OK too, all you need to do is check who hasn't hit your server.
Obfuscate some of your code for an added annoying deterrence.
On how vbulletin does it:
http://www.sitepoint.com/forums/showthread.php?281666-How-does-the-vBulletin-License-work
https://www.vbulletin.com/forum/showthread.php/338346-Easy-Way-To-Find-Nulled-vBulletins
Finally here's a PHP class that tries to offer a partial solution: PADL (PHP Application Distribution License System)
I'm trying to figure out if there's a way in PHP to open a file on a user's desktop (i.e., the user select a file from a file list shown on a PHP page, and then the file opens with the appropriate program on the user's desktop as if the user had double-clicked it in the GUI.) After searching for a while, I discovered that this is possible via some convoluted-looking code using the COM object in PHP, but that's only going to work for Windows users and I'm trying to keep this platform agnostic.
Has anyone else ever tried to do this and succeeded?
You can't execute an application on the user's machine without either a lengthy "user consent" process, or the user voluntarily (and, ideally, knowingly) installing some software component.
I think the cleanest way might be to use a (signed!) Java applet.
Otherwise you could try and make the user register a specific protocol, with a suitable protocol handler, that you would let download and install on the user's system to intercept a link such as exec://format%20C%2C ;-)
Unfortunately, the file:// protocol is (understandably) restricted. For example, in Firefox it will work (somewhat) if you insert manually "C:\" in the address bar and navigate. If you click on those links they will (somewhat) work. Copy the same links in a document in a different security context (e.g. Internet) and lo and behold, it won't work.
Another possibility would be to backdoor all the intranet clients with, um, REXECd (available on most platforms) or some clone. Then when the user clicks, you send the command from PHP to the user's workstation. Since nowadays PC's are multiuser platforms, you'll need some quick legwork to determine how to do the deed. E.g. on a Linux box you'd have to run a X application with the appropriate ownership and DISPLAY value.
You could also "recognize" the user's platform and let the user download an appropriate batch file, either .sh or .bat or .cmd; but they would need a click to download, one to approve, one to open the executable.
You can't run files on client. It's a big security hole and browser will not allow you do that.
On windows you can use ActiveX, but client must allow installing ActiveX component, and you will have many problems with it.
I would like to create a simple notification icon that would display a number in the users system tray.
The application only needs to allow the input of an API key that it would use to fetch information from the server. So, for example:
http://www.example.com/api.php?key=dfg45tgyy67h
The PHP file will return two values, a number, and a URL. The number should appear in the system tray, and clicking on it should take you to the URL. The application should update the information at a specified interval, which can be hard-coded into the application.
I really have no idea how to do this, but can pick up things like this pretty quickly. So I would like to know some ways to accomplish this, or what the easiest method to use would be.
EDIT When I said PHP what I meant was that on the server it would be a PHP file serving up the information to the application. I didn't plan on creating the client application in PHP.
You can't do this with PHP as it has no way of interacting with a user's computer and and that includes the system tray. You'll need to write something that will run on their computer and then polls your PHP script for this information.
Use a cross-platform language and widget toolkit with both browser launching and system tray capabilities.
I'm building a self-hosted web app using CodeIgniter and I need a nice GUI-ified installer which will present the user with a form for database info, validate and test the info, write that info to the database.php config file, and then set up the DB structure.
Any tips for this? Should it be inside of CodeIgniter (as a Controller perhaps) or should it be its own thing (perhaps an 'install' folder which would be a sibling of 'application' and 'system')? Any projects I could look at for inspiration?
Obviously it's not a hard task but I just didn't want to reinvent the wheel so I thought I'd ask first.
It would be a much more integrated experience to have the settings page be within the web application.
However, you'll have to make sure that settings don't render the application unusable, since the user would then be locked out of making further changes.
This also has the added benefit of not having any further software requirements. If you build a native GUI, extra libraries would likely be needed.
I have an application that I am writing that will sit most of the CodeIgniter code outside the web directory. When the user downloads my code, they will need to extract it, then run either a bash or vbscript to set it up. There is no way of doing this from inside a web page that I can think of.
User downloads code.
User extracts code to temp directory.
User runs setup script (as root / administrator).
Script moves sections of code to appropriate places on the file system.
Script asks for credentials (DB, etc) and inserts them into appropriate file(s).
Script chmod's files and directories to appropriate permissions (some need write, some do not).
Is there any way to do this inside a webpage ?
I ended up using a pre_controller hook to do the check and redirect if necessary.